This guide describes the following situation:

- A site-to-site VPN tunnel using IPsec is created between two MikroTik routers, connecting two private networks: 10.10.10.0/24 and 10.10.20.0/24.
- Both private networks use the MikroTik router as their gateway.
- Each MikroTik router is itself behind NAT, so its WAN port also sits in a private range: 192.168.10.0/24 and 192.168.20.0/24.
- Each MikroTik router has IPsec NAT traversal (4500/UDP) forwarded to it from its gateway (the ISP router).
- Both public connections change their public IP occasionally.

I didn't find any guide describing this setup, so I created one.

Before you start, make sure you have separate access to each router in case you break your connection. The examples contain some additional settings that improve security; before you use or change them, make sure you understand what they do. The IPsec tunnel in the examples uses the pre-shared-key authentication method, which was chosen only for demonstration purposes; a stronger method (for example certificate authentication) should be considered. If you do use PSK, use a different secret than the one in the examples, and remember that the secret must be identical on both sides.

Names of interfaces on the MikroTik routers in this example are:

I successfully tested the setup on two MikroTik hAP lite classic devices, each running behind a different router (in one case a Draytek Vigor 2700 and a Ubee EVW3226, in the other a TP-Link TD-W8951NB and a Compal CH7465LG).

There is also a lot of useful documentation about IPsec VPN on the MikroTik Wiki; check it out.

Update notes:

I have experienced tunnel instability when the upload link (provided by the ISP) was overloaded and the IPsec tunnel was configured with AES-GCM. This happened for me at least on RouterOS versions 6.38 to 6.39.1. I have therefore updated the example to use AES-CBC, which proved stable. GCM is still the stronger choice (it is an AEAD mode that provides encryption and integrity protection in one pass), so I recommend upgrading RouterOS to the latest version and trying GCM first.

RouterOS 6.38 (2016-Dec-30) added IKEv2 as a key exchange mode for IPsec. IKEv2 is the newer, revised version of the key exchange protocol and improves the security of tunnel establishment, so I have updated the examples in this article accordingly. Besides the security improvements, IKEv2 has dead peer detection and NAT traversal built in, which simplifies the configuration. Its NAT traversal moves the exchange to 4500/UDP when a NAT is detected between the peers, and ESP is then carried inside that same UDP flow, which is why the RouterOS firewall in this guide only needs to allow 4500/UDP. Note that IKE_SA_INIT is normally sent to 500/UDP first, so if the tunnel does not come up with only 4500/UDP forwarded, check whether 500/UDP also has to reach the responder.

RouterOS 6.41 (2017-Dec-22) introduced the possibility to use a DNS name instead of an IP address as the IPsec peer address. If you use DNS names in your /ip ipsec peer configuration, you can skip the corresponding part of the ipsec-peer-update script mentioned later in this guide, but you still have to update the sa-dst-address of the IPsec policy whenever the remote router's public IP changes.
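The following RouterOS script is an added example, not code from the original article: it performs the update step described above for a router whose remote peer has a changing public IP. It resolves the remote router's DNS name and, if the address differs from what the IPsec policy currently holds, rewrites the policy's sa-dst-address and, when the peer is still configured by IP rather than by DNS name, the peer address too. The DNS name site-b.example.net, the comment tag site-b used to find the peer and the policy, the peerByDns switch and the 5-minute scheduler interval are assumptions for the example. It uses the pre-6.43 policy syntax with sa-dst-address that this guide uses; from RouterOS 6.43 on a policy references a named peer instead, so there only the peer address would need updating.

```routeros
# Added example (not from the original article). Save this as the body of
# /system script add name=ipsec-peer-update and schedule it with:
#   /system scheduler add name=ipsec-peer-update interval=5m on-event=ipsec-peer-update
# Assumptions: remote router is reachable as site-b.example.net (DNS name
# updated by the remote side), and both the /ip ipsec peer and the
# /ip ipsec policy for this tunnel carry comment="site-b".
:local remoteHost "site-b.example.net"
:local tag "site-b"
# set to true if the peer address is already the DNS name (RouterOS 6.41+);
# then only the policy sa-dst-address has to follow the public IP
:local peerByDns false

:local newIp ""
# :resolve throws an error when the name cannot be resolved; leave the
# tunnel untouched in that case so a DNS hiccup does not tear it down
:do {
    :set newIp [:resolve $remoteHost]
} on-error={
    :log warning "ipsec-peer-update: cannot resolve $remoteHost, config unchanged"
}

:if ($newIp != "") do={
    :local policyId [/ip ipsec policy find comment=$tag]
    :if ([:len $policyId] = 1) do={
        :local curIp [/ip ipsec policy get $policyId sa-dst-address]
        :if ($newIp != $curIp) do={
            :log info "ipsec-peer-update: remote public IP changed $curIp -> $newIp"
            # the policy must always point at the remote router's current public IP
            /ip ipsec policy set $policyId sa-dst-address=$newIp
            # the peer only needs updating when it is configured by IP
            :if (!$peerByDns) do={
                :local peerId [/ip ipsec peer find comment=$tag]
                :if ([:len $peerId] = 1) do={
                    /ip ipsec peer set $peerId address="$newIp/32"
                }
            }
            # drop the SAs negotiated with the old address so IKE renegotiates
            # (note: this flushes all installed SAs on this router)
            /ip ipsec installed-sa flush
        }
    } else={
        :log warning "ipsec-peer-update: expected exactly one policy with comment $tag"
    }
}
```

Because the remote side is also behind NAT with a changing address, the same script runs on both routers, each pointing at the other's DNS name. The flush at the end is what makes the change take effect immediately instead of waiting for dead peer detection to notice that the old address no longer answers.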